Netwalker ransomware


Netwalker ransomware – a type of malware that focuses on attacking cities and organisations

Netwalker ransomware
Netwalker ransomware is a data locker that asks for high ransoms in Bitcoin for data recovery software

Netwalker ransomware, otherwise known as Mailto ransomware, is a file locking virus that was first spotted in August 2019 and has since kept attacking high-profile companies and even municipalities. Its most recent victim was the Illinois Public Health District website, which was used to deliver information to people about the COVID-19 virus.[1] Luckily, the health organization managed to recover swiftly and did not pay the ransom.

The main goal of the Netwalker virus is to encrypt pictures, documents, databases, and other data on infected machines and networks with the AES cipher and then demand a ransom payment for the decryption tool that can return the files to their original state. Typically, such data is marked with a unique code (ID), which usually consists of five or six alphanumeric characters, for example, .e85fb1, .c3f7e, or 531c5d. Earlier versions of Netwalker ransomware also used the .mailto extension, hence the original name.

Name: Netwalker ransomware
Type: File locking virus, cryptomalware
Cipher: The malware uses the symmetric AES algorithm to encrypt all personal files located on local and networked drives
Previously known as: Mailto, Kazkavkovkiz, Kokoklock
File extension: The malware uses alphanumeric characters as an extension, which also serves as the user's ID, and in most cases includes a contact email. Example of an affected file: document.xlsx.mailto[[email protected]].25b0a
Ransom note: [ID/extension]-Readme.txt, for example, 25b0a-Readme.txt
Contact: In newer versions, victims are asked to visit a predetermined Tor site; previous contact emails include [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Data recovery: Without backups, there is no 100% secure way of recovering compromised data. The remaining options include:
  • Paying the cybercriminals (not recommended, due to the possibility of being scammed)
  • Using third-party software or built-in recovery options (low success rate)
  • Waiting until security researchers find a flaw in the malware and create a free Netwalker ransomware decryptor
Malware removal: To get rid of the infection, scan your machine with reputable anti-malware software, such as SpyHunter 5, Combo Cleaner, or Malwarebytes
System fix: If your computer works slowly or experiences other stability issues after the infection is terminated, use Reimage Intego to fix virus damage

After the data locking process, the Netwalker virus delivers a ransom note whose name is built from the victim's ID (“ID-Readme.txt”), the same marker that is appended to each of the locked files. Inside the note, the cybercriminals explain that the victim's system was compromised and that they need to pay a ransom in cryptocurrency in order to regain access to their data. For communication purposes, the criminals provide email addresses, such as [email protected], [email protected], or [email protected], although in the newest variants users are asked to connect to a Tor site instead.

There are several different ways in which Netwalker ransomware is delivered; malicious actors often employ several attack vectors at once to infect as many victims as possible. The most common distribution methods include:

  • Spam email attachments or hyperlinks
  • Software vulnerabilities and exploit kits[2]
  • Malicious ads
  • Fake updates
  • Weakly protected RDP connections
  • Software cracks, etc.

If you were unlucky enough to get infected with this virus, you should pay close attention to your computing practices in the future; you can find more tips in the second section of this article. For now, however, you should focus on alternative methods of data recovery, as well as on Netwalker ransomware removal.

Before the Netwalker file virus begins the encryption process, it first modifies the Windows system so that it can operate as intended. For example, it uses built-in Windows APIs to inject malicious code into explorer.exe, a protected system process, which helps the encryption run to completion without interference.

Netwalker ransomware virus
Netwalker is a ransomware-type virus that encrypts all personal files with the help of the AES encryption algorithm

Additionally, Netwalker ransomware performs other changes that are standard for a successful infection routine, including deletion of Shadow Volume Copies, insertion of new malicious files and processes, modification of the Windows registry database, etc. To revert these changes after the malware has been terminated, you can use repair tools like Reimage Intego.
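The deletion of Shadow Volume Copies described above is one of the few pre-encryption steps that leaves a clear trace in process-creation telemetry, so it is a natural detection point. The following is an added example (not code from the article or from any vendor named on it): it parses a handful of constructed process-creation events written in a simple key=value form and raises an alert when the command line matches a known shadow-copy deletion command. The article names the behaviour but not the commands; the vssadmin, wmic and PowerShell Win32_ShadowCopy variants below are the standard documented ways shadow copies get deleted, and the log format, host names and user names are constructed for the demo. Because the article notes that Netwalker injects into explorer.exe, the alert also records whether the deleting process was spawned by explorer.exe.

```python
import re
from pathlib import PureWindowsPath

# Command lines that delete Volume Shadow Copies. The article names the behaviour
# ("deletion of Shadow Volume Copies"); these commands are the well-known generic
# ways to do it and are an assumption of this example, not taken from the page.
SHADOW_DELETE_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("powershell remove Win32_ShadowCopy",
     re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I)),
]

# key=value tokens; values may be double-quoted so they can contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed process-creation events (not a real log format, hosts/users are made up).
# The first three mimic a ransomware pre-encryption routine; the last two are benign.
SAMPLE_EVENTS = [
    r'ts=2020-03-20T07:31:05Z host=WS01 user=ACME\jdoe parent=C:\Windows\explorer.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'ts=2020-03-20T07:31:06Z host=WS01 user=ACME\jdoe parent=C:\Windows\explorer.exe image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic shadowcopy delete"',
    r'ts=2020-03-20T07:31:07Z host=WS01 user=ACME\jdoe parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -Command Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"',
    r'ts=2020-03-20T09:00:00Z host=WS02 user=ACME\backupsvc parent=C:\Windows\System32\services.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe list shadows"',
    r'ts=2020-03-20T09:05:00Z host=WS02 user=ACME\jdoe parent=C:\Windows\explorer.exe image="C:\Program Files\Notepad++\notepad++.exe" cmdline="notepad++.exe shadows.txt"',
]


def parse_event(line):
    """Parse one key=value event line into a dict; quoted values are unquoted."""
    event = {}
    for key, raw, quoted in KV_RE.findall(line):
        is_quoted = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
        event[key] = quoted if is_quoted else raw
    return event


def detect_shadow_copy_deletion(lines):
    """Return one alert per event whose command line matches a shadow-copy deletion rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        for rule_name, pattern in SHADOW_DELETE_RULES:
            if pattern.search(cmd):
                # PureWindowsPath gives us the executable's base name even on non-Windows hosts.
                parent = PureWindowsPath(ev.get("parent", "")).name.lower()
                alerts.append({
                    "ts": ev.get("ts"),
                    "host": ev.get("host"),
                    "user": ev.get("user"),
                    "rule": rule_name,
                    "cmdline": cmd,
                    # Shadow-copy deletion spawned from explorer.exe matches the injection
                    # behaviour described in the article and deserves extra weight.
                    "parent_is_explorer": parent == "explorer.exe",
                })
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        flag = " (parent explorer.exe)" if alert["parent_is_explorer"] else ""
        print(f'{alert["ts"]} {alert["host"]} {alert["user"]}: {alert["rule"]}{flag}')
```

A benign `vssadmin list shadows` from a backup service account does not trigger, which keeps the rule usable on hosts where backup tooling legitimately touches VSS; in a real deployment the same logic would run over Sysmon Event ID 1 or Windows Security 4688 records rather than these constructed lines.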

Once the preparations are complete, Netwalker ransomware begins scanning the system for data to encrypt. It targets the most commonly used file types, including .pdf, .jpg, .dat, .xlsx, .mp4, .txt, .zip, and many others; this way, the cybercriminals make sure they cause maximum damage to users and push them to pay the ransom. Even so, the goal of the Netwalker authors is not to corrupt the system itself, so it skips files located in the Windows, Program Files, Microsoft, Internet Explorer, and other folders.

Depending on the version of the infection, Netwalker ransomware appends a particular extension to each file, which usually includes a contact email. For example, an encrypted file would look as follows: document.xlsx.mailto[[email protected]].25b0a. The file's icon no longer shows the application it would normally be opened with, and victims are not able to use the data at all.
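The naming scheme described above (original name, an optional .mailto[contact] marker, and a trailing victim ID that also names the ID-Readme.txt ransom note) is enough to triage a directory listing during incident response. The script below is an added example, not code from the article: it recovers the original file name, contact address and victim ID from each encrypted name, and uses the ransom note found alongside the files to confirm the ID. The assumption that the ID is five or six hexadecimal characters is inferred from the samples the article shows (.e85fb1, .c3f7e, 531c5d, 25b0a); the directory listing and the contact address are constructed for the demo.

```python
import re
from collections import Counter

# Ransom note name as described in the article: "<victim ID>-Readme.txt".
NOTE_RE = re.compile(r"(?P<id>[0-9a-f]{5,6})-Readme\.txt", re.IGNORECASE)

# Encrypted file name: "<original name>[.mailto[<contact email>]].<victim ID>".
# Assumption: the ID is 5-6 hex characters, inferred from the article's samples.
ENC_RE = re.compile(
    r"(?P<original>.+\.[A-Za-z0-9]{1,5})"
    r"(?:\.mailto\[(?P<email>[^\]]+)\])?"
    r"\.(?P<id>[0-9a-f]{5,6})",
    re.IGNORECASE,
)

# Constructed directory listing for the demo; the contact address is a placeholder.
SAMPLE_LISTING = [
    "25b0a-Readme.txt",
    "document.xlsx.mailto[contact@example.invalid].25b0a",
    "photo.jpg.mailto[contact@example.invalid].25b0a",
    "budget.pdf.25b0a",
    "report.docx.531c5d",   # trailing ID but no matching note in this listing
    "notes.txt",
    "archive.tar.gz",
    "desktop.ini",
]


def parse_encrypted_name(name):
    """Return the parts of a Netwalker-style encrypted file name, or None if it does not fit."""
    m = ENC_RE.fullmatch(name)
    if m is None:
        return None
    return {
        "original": m.group("original"),
        "contact": m.group("email"),
        "victim_id": m.group("id").lower(),
    }


def triage(listing):
    """Classify a directory listing: ransom note IDs, encrypted files, and per-ID counts."""
    note_ids = set()
    for name in listing:
        m = NOTE_RE.fullmatch(name)
        if m:
            note_ids.add(m.group("id").lower())

    encrypted = []
    for name in listing:
        parts = parse_encrypted_name(name)
        if parts is None:
            continue
        # High confidence when the .mailto[...] marker is present or the trailing ID
        # is confirmed by a ransom note carrying the same ID; otherwise low, because
        # a 5-6 character hex suffix alone could be a coincidence.
        confirmed = parts["contact"] is not None or parts["victim_id"] in note_ids
        parts["name"] = name
        parts["confidence"] = "high" if confirmed else "low"
        encrypted.append(parts)

    return {
        "note_ids": sorted(note_ids),
        "encrypted": encrypted,
        "ids": Counter(e["victim_id"] for e in encrypted),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print("ransom note IDs:", result["note_ids"])
    for e in result["encrypted"]:
        print(f'{e["confidence"]:4}  {e["name"]}  ->  {e["original"]}  (ID {e["victim_id"]})')
```

Recovering the original names this way is what lets you match encrypted files against a backup catalogue before any removal step, which is the order the article recommends.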

The ransom note that the virus drops also varies slightly, depending on the version. The most recent Netwalker ransomware note reads as follows:

Hi!
Your files are encrypted by Netwalker.
All encrypted files for this computer has extension .531c5d

If for some reason you read this text before the encryption ended,
this can be understood by the fact that the computer slows down,
and your heart rate has increased due to the ability to turn it off,
then we recommend that you move away from the computer and accept that you have been compromised.
Rebooting / shutdown will cause you to lose files without the possibility of recovery.

Our encryption algorithms are very strong and your files are very well protected, you can’t hope to recover them without our help.
The only way to get your files back is to cooperate with us and get the decrypter program.
For us this is just business and to prove to you our seriousness, we will decrypt you one file for free.
Just open our website, upload the encrypted file and get the decrypted file for free.

Steps to get access on our website:

1. Download and install tor-browser:  https://torproject.org/
2. Open our website: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion/
3. Put your personal code in the input form:

{code_531c5d:

Netwalker ransomware uses the symmetric encryption algorithm AES, which means that the same secret key is used to lock and unlock data on the infected machine. There is no point in trying to guess it or acquiring the key from another victim, as it is unique per victim. Unfortunately, there are very few possibilities to recover data without backups. However, if you think that paying the criminals for a Netwalker ransomware decryptor is a good idea, you should think twice, as they might simply not deliver the tool, and you would end up losing your money along with your data.

Netwalker ransomware payment page
First Netwalker ransomware versions simply asked users to send an email to the attackers, while later versions use Tor for that purpose

Thus, remove Netwalker ransomware first with the help of anti-malware software that detects the threat,[3] and then attempt to recover data using the alternative methods we provide below. Before taking any action, we also advise making a copy of the encrypted data.

Protecting your files from ransomware

As mentioned above, there are several methods by which ransomware manages to penetrate user devices. Some of the techniques used are primitive, others more sophisticated, although the result remains the same for victims: their files are locked and can no longer be accessed. It is also important to note that encrypting the files and infecting the computer are two separate actions, and removing the malware will not return the files to their original state. Precisely for this reason, ransomware is so devastating.

While data backups help a lot when dealing with a file locking virus, malicious actors have recently started a disastrous trend: they threaten to publish information stolen from the infected machines. For a company or a business, such a data disclosure can be devastating. Thus, the best way to battle ransomware is not to get infected in the first place. Here are some tips that could help you repel malware in the future:

  • Equip your computer and networks with sophisticated anti-malware software;
  • Protect your Remote Desktop connections: never use the default TCP/UDP port, use a VPN, disconnect from the service as soon as it is no longer needed, and use strong passwords to protect access;
  • Do not download pirated application installers or software cracks/loaders/keygens;
  • When dealing with new emails, watch out for attachments such as .pdf, .doc, .exe, .zip, or similar, as they could contain malware. Additionally, hover your mouse over a hyperlink and check the real address before clicking it;
  • Use two-factor authentication where possible;
  • Update your operating system along with all the installed applications as soon as security patches are shipped.

Finally, you should always ensure that you store backups of your most important files, and they should not be connected with your main system in any way.

Terminate the Netwalker virus infection

Most users who get infected with ransomware have never dealt with such an infection before, so they usually don't know how to proceed. Indeed, having all of your files locked can be a devastating and frightening experience, especially for those who have important data on the infected machine. That being said, you should not rush Netwalker ransomware removal, as a hasty action could permanently damage the encrypted files. In such a case, even a working decryption tool might fail to retrieve the compromised data.

Netwalker ransomware encrypted files
Unfortunately, there is no decryption tool for Netwalker ransomware available yet, so recovery options are very limited

Therefore, you should back up the encrypted files and only then remove Netwalker ransomware from your computer. For that, you should use reputable anti-malware software and perform a full system scan (if you need to access Safe Mode, please check the instructions below). As previously stated, this action will not recover your files, so you are left with a limited number of options:

  1. paying criminals
  2. trying third-party software
  3. waiting till security experts develop a free decryptor.

None of these is ideal and each poses a risk; that is why having backups is so important when dealing with ransomware. Our advice would be to try recovery software first and then explore other options, as required.

This entry was posted on 2020-03-20 at 07:33 and is filed under Ransomware, Viruses.